Cyber Security Challenge Brings Out the Best

As we grow increasingly dependent on technology to do everyday tasks as well as share critical information, the ability to resist and sustain attacks from malicious computer hackers becomes more important.

Anup Ghosh. Creative Services photo

That was the premise behind a cyber security grand challenge supported by a National Science Foundation grant that recently took place at the USENIX Security Conference in Montreal, Canada. The challenge was organized by Anup Ghosh, research professor and chief scientist in Mason’s Center for Secure Information Systems, and colleagues at the University of California, Santa Barbara, and the International Computer Science Institute in Berkeley, Calif.

“We designed this challenge to be different from all the others out there,” says Ghosh. “We didn’t ask people to hack into a system, but instead we asked them to be defenders. We wanted them to create an environment where a server could function with integrity and minimum required service levels even when under attack.”

Teams from all over the United States and Canada signed up for the challenge, including three students from Mason. Team An0nym0us members were Rhandi Martin and Zhaohui Wang, who are both pursuing a PhD in Computer Science with specializations in security; and Fox Chambers, who recently completed a master’s degree in information security and assurance.

Participating in the competition was a double challenge for Mason’s team members since they had little advance knowledge of the competition and only one week to prepare. However, they earned third-place honors and brought home a $1,000 cash prize, courtesy of BAE Systems, the challenge’s prize money sponsor.

In the challenge scenario, the teams attempted to secure server systems that are often used to handle sensitive health records. Each team received a virtual server that contained a number of hidden security flaws implanted by the organizers.

“I felt that the situation they gave us to work with was very realistic,” says Wang. “These kinds of vulnerabilities and threats happen on the Internet every day. Because of the realness of the scenarios, if you understand real world threats, then you know where to look for the security weaknesses.”

On day one of the competition, the teams had until noon to work on their servers before turning them over to conference organizers. The servers were returned to the teams several hours later for more work. The teams then had until 9 a.m. on day two to complete work on their servers.

During the competition, an automated scoring system kept track of what services were functional. At the same time, an automatic attack system performed disruptive attacks against the services.

“At times I felt like I was in over my head because my background is in network security, not systems security,” says Martin. “I never dreamed we would place, but our faculty advisor, Angelos Stavrou, had confidence in us and was there supporting us the whole time. When we were up at 3 a.m., Angelos was right there with us. In the end our hard work paid off.”

Ghosh and his fellow organizers hope to make the grand challenge an annual event at the USENIX Security Conference. Ghosh explains that the goals of the challenge are twofold: to promote awareness of cyber security, particularly among students; and to show the industry that the concept of an unhackable server is possible.

“We are trying to motivate people to be innovative and develop solutions that others haven’t thought about, particularly in the commercial community where people aren’t sponsored by research,” says Ghosh. “For that reason, being at a research conference where the goal is to design solutions is really the perfect venue for this type of challenge.”